Internet Explorer RCE Fix Highlights June's Security Update

Microsoft released its June patch today, which includes three "critical" security items and four "important" bulletins.

All told, this month's patch is delivering fixes for 26 issues in Microsoft's software. In addition to IE, affected software includes Windows components, the .NET Framework, Lync and Microsoft Dynamics AX.

Bulletin MS12-037, which addresses 12 vulnerabilities in Microsoft's Internet Explorer, should be prioritized first, according to the company. This "cumulative" update blocks an attacker from leveraging a remote code execution (RCE) attack after a harmful Web link is viewed. What makes this item priority No. 1 is the fact that at least one of the 12 holes has already been spotted being exploited in the wild.

Next on the priority list should be bulletin MS12-036. This item takes care of a privately reported RCE vulnerability that affects those systems that have the Remote Desktop Protocol (RDP) enabled. (By default, RDP is not enabled in Windows without user action.) If left unpatched, attackers could remotely access a system "if an attacker sends a sequence of specially crafted RDP packets to an affected system," according to Microsoft.

For those who cannot update in the immediate future, Wolfgang Kandek, Qualys' CTO, describes a workaround.

"Similar to MS12-020, using NLM to authenticate RDP sessions is a valid work-around, and we recommend looking into configuring NLM as the standard authentication mechanism as a hardening measure," wrote Kandek in an e-mail.

The final critical item (bulletin MS12-038) takes care of yet another RCE flaw. This time, the bug is found in Microsoft's .NET Framework and can be initialized if a specially crafted Web site is opened using a browser that supports XAML Browser Applications (XBAPs). Alternatively, the flaw can also be exploited if an attacker uses "Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions." In both situations, the risk is lowered if user privileges on the system are limited.

The final four items for this month address issues that aren't as high of a risk as the previously discussed bulletins and should be applied only after proper testing is completed. They include:

MS12-039: Fixes a publicly disclosed RCE flaw in Microsoft Lync that can be executed if a file containing harmful TrueType fonts are opened.

MS12-040: The first elevation-of-privilege fix for this month repairs an issue in Microsoft Dynamics AX Enterprise Portal and reduces the risk to users that open a specially crafted URL located in an e-mail.

MS12-041: Using a flaw in the Windows Kernel drivers, an attacker can leverage an elevation-of-privilege attack if a malicious application is loaded on an unpatched system. The risk is low in this situation, as the attacker would need access to the system and authentic login credentials to pull it off.

MS12-042: Similar to the previous bulletin, this item is another elevation-of-privilege fix for the Windows Kernel.

Along with this month's patch, Microsoft provided information that it was releasing an enhancement to its Windows update service for untrusted certificates in Windows 7 and Vista. This effort follows a discovery that the Flame malware was able to spread by using fake security certificates to trick antivirus programs into thinking it was an authentic Microsoft program. The new enhanced update service will automatically send daily information to systems about flagged certificates and will label them as "untrusted." In the past, this information was only sent to systems after a manual installation had occurred.

Microsoft's Angela Gunn of the Trustworthy Computing group also discussed an additional certificate security feature that will arrive in the near future.

"Adding to our defense-in-depth measures, in August, we will release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority."

She indicated that Microsoft was giving early notice so that those using certificates smaller than 1024 bits can have time to update them before Windows flags them as untrusted. More information on Microsoft's certificate announcement can be found here.